ET PHISHING EvilTokens Fetch Valid user_code from Microsoft API
Source: et/open
Created: April 7, 2026
Updated: April 8, 2026
Classification: credential-theft
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING EvilTokens Fetch Valid user_code from Microsoft API"; flow:established,to_server; flowbits:set,ET.EvilTokens; http.method; content:"POST"; http.uri; bsize:17; content:"/api/device/start"; http.header; content:"x-antibot-token"; fast_pattern; nocase; depth:15; reference:url,blog.sekoia.io/new-widespread-eviltokens-kit-device-code-phishing-as-a-service-part-1/; classtype:credential-theft; sid:2068629; rev:1; metadata:affected_product MS_Outlook, affected_product Microsoft_OneDrive, affected_product Microsoft_Exchange, attack_target Client_Endpoint, tls_state TLSDecrypt, created_at 2026_04_07, deployment Perimeter, confidence High, signature_severity Critical, tag EvilTokens, updated_at 2026_04_08;)
Metadata
affected product: Microsoft_Exchange
attack target: Client_Endpoint
tls state: TLSDecrypt
created at: 2026_04_07
deployment: Perimeter
confidence: High
signature severity: Critical
tag: EvilTokens
updated at: 2026_04_08
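To make the match conditions of sid 2068629 concrete for analysts tuning or validating it, the following added example (written for this page, not code from Emerging Threats or from Suricata) re-implements the rule's payload checks over constructed HTTP requests. It models `http.uri; bsize:17; content:"/api/device/start"` as an exact 17-byte URI match and `http.header; content:"x-antibot-token"; nocase; depth:15` as a case-insensitive match within the first 15 bytes of the header block after the request line, which is how Suricata applies `depth` to a sticky buffer; since the content is itself 15 bytes, the rule as written only fires when that header is the first one sent. Flow direction, `flow:established,to_server` and the `$HOME_NET`/`$EXTERNAL_NET` variables are outside this matcher; the sample requests and host names are constructed.

```python
"""Added example: re-implementation of the payload conditions of ET sid 2068629
(EvilTokens /api/device/start with x-antibot-token header). Not ET or Suricata code."""

from typing import Dict, Tuple

SID_2068629_URI = b"/api/device/start"      # 17 bytes, matches bsize:17
SID_2068629_HEADER_TOKEN = b"x-antibot-token"  # 15 bytes, nocase, depth:15


def parse_request(raw: bytes) -> Tuple[bytes, bytes, bytes]:
    """Split a raw HTTP/1.1 request into (method, uri, header_block).

    Assumption: the header block (everything after the request line, before the
    blank line) stands in for Suricata's normalized http.header buffer.
    """
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, uri, _version = lines[0].split(b" ", 2)
    header_block = b"\r\n".join(lines[1:])
    return method, uri, header_block


def matches_sid_2068629(raw: bytes) -> bool:
    """Return True when the request satisfies the rule's content conditions."""
    method, uri, header_block = parse_request(raw)
    # http.method; content:"POST"
    if method != b"POST":
        return False
    # http.uri; bsize:17; content:"/api/device/start" -> an exact-length match
    if len(uri) != 17 or uri != SID_2068629_URI:
        return False
    # http.header; content:"x-antibot-token"; nocase; depth:15
    # depth:15 limits the search to the first 15 bytes of the header buffer,
    # so the 15-byte token must sit at the very start of the header block.
    return SID_2068629_HEADER_TOKEN in header_block[:15].lower()


# Constructed sample requests (not captured traffic). Hosts use the reserved
# .invalid TLD so they cannot resolve.
SAMPLE_HIT = (
    b"POST /api/device/start HTTP/1.1\r\n"
    b"x-antibot-token: 0123456789abcdef\r\n"
    b"Host: kit.example.invalid\r\n"
    b"Content-Type: application/json\r\n\r\n"
    b'{"tenant":"example"}'
)
SAMPLE_HIT_MIXED_CASE = SAMPLE_HIT.replace(b"x-antibot-token", b"X-AntiBot-Token")
SAMPLE_GET = SAMPLE_HIT.replace(b"POST ", b"GET ", 1)
SAMPLE_URI_TRAILING_SLASH = SAMPLE_HIT.replace(b"/api/device/start ", b"/api/device/start/ ", 1)
SAMPLE_TOKEN_NOT_FIRST = (
    b"POST /api/device/start HTTP/1.1\r\n"
    b"Host: kit.example.invalid\r\n"
    b"x-antibot-token: 0123456789abcdef\r\n\r\n"
)


def run_samples() -> Dict[str, bool]:
    """Evaluate every constructed sample against the matcher."""
    return {
        "hit": matches_sid_2068629(SAMPLE_HIT),
        "hit_mixed_case": matches_sid_2068629(SAMPLE_HIT_MIXED_CASE),
        "get_method": matches_sid_2068629(SAMPLE_GET),
        "uri_trailing_slash": matches_sid_2068629(SAMPLE_URI_TRAILING_SLASH),
        "token_not_first_header": matches_sid_2068629(SAMPLE_TOKEN_NOT_FIRST),
    }


if __name__ == "__main__":
    for name, hit in run_samples().items():
        print(f"{name:24s} {'ALERT' if hit else 'no match'}")
```

The `token_not_first_header` sample is the one worth noting when tuning: because `depth:15` equals the content length, a request that sends `Host` before `x-antibot-token` does not match this revision of the rule, which is the kind of gap a local `rev` bump (for example dropping `depth`) could close if your own captures show the header in a later position.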